The Juniper SRX offers 3 main types of NAT: source, destination and static. This article explains each type and provides configuration examples.
As the name suggests, source NAT translates the source IP address. There are 2 main types of source NAT:
- Interface NAT – Traffic is translated to the IP address of the egress interface.
- Address pools – Traffic is translated to an IP address within a pool.
Source NAT has a number of features and options:
- Address Persistence – This ensures that all PAT translations for a given host are translated through the same IP address.
- Disable PAT – When Port Address Translation (PAT) is disabled, each address from a pool can only be assigned to a single host. An overflow pool can be defined to use the egress interface address should the pool become depleted.
- Overflow Pool Interface – This allows addresses to be PAT/NAT'd using the egress interface address should the previous pool become exhausted.
- Port Utilization – This provides the ability to alarm (including SNMP) at the point that the pool reaches a given threshold.
- Address Shifting – This specifies the IP address where the original source IP address range begins. For example, it allows you to map 10.0.0.0/24 to 192.168.1.1/24 so that 10.0.0.1 maps to 192.168.1.1 and so on.
Destination NAT is the translation of the destination IP address (and optionally the destination port). Destination NAT is commonly used for port forwarding scenarios where multiple services are mapped (using a single IP address) to many different servers.
A common destination NAT feature is:
- Address Pools – This allows a pool of destination addresses to be defined.
Static NAT allows for translation in both directions. The source IP address is translated for traffic originating from the server, and destination NAT is provided for traffic destined inbound to the server.
NAT Flow Process
The diagram below shows the NAT process that traffic follows when traversing the SRX.
Based on the diagram above, there are 2 key requirements:
- Destination IP translations – The security policy is written using the post-translated address.
- Source IP translations – The security policy is written using the pre-translated address.
In this example, all addresses from the trust zone destined to the untrust zone are source NAT'd to the egress interface IP address.
user@host# edit security nat source rule-set nat-trust-untrust
[edit security nat source rule-set nat-trust-untrust]
user@host# set from zone trust
user@host# set to zone untrust
user@host# set rule source-nat-rule
user@host# set rule source-nat-rule match source-address 0.0.0.0/0
user@host# set rule source-nat-rule then source-nat interface
In this example we translate the destination IP and port of 184.108.40.206:2222 to 192.168.1.5:22.
Note: When adding the security policy for access to your server, you must use the real IP address and port.
user@host# set security zones security-zone trust address-book address SERVERA-REALIP 192.168.1.5/32
user@host# set applications application SSH-DNAT protocol tcp
user@host# set applications application SSH-DNAT destination-port 2222
user@host# set security nat destination pool DNAT-POOL-SERVERA address 192.168.1.5/32
user@host# set security nat destination pool DNAT-POOL-SERVERA address port 22
user@host# set security nat destination rule-set dst-nat from zone untrust
user@host# set security nat destination rule-set dst-nat rule rule1 match destination-address 220.127.116.11/32
user@host# set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
user@host# set security nat destination rule-set dst-nat rule rule1 then destination-nat pool DNAT-POOL-SERVERA
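The security policy that the note above calls for, as an added example that is not part of the original article: policy lookup runs after destination NAT, so the policy matches the real server address and port. The policy name ALLOW-SSH-SERVERA is an assumption; SERVERA-REALIP is the address-book entry defined above and junos-ssh is the predefined Junos application for TCP port 22.

```junos
# Added example (not from the original article). Enter in configuration mode.
# By the time the policy is evaluated the packet has already been rewritten
# to 192.168.1.5:22, so a policy that matches the public address or an
# application on port 2222 is never hit and the session is dropped.
# ALLOW-SSH-SERVERA is an assumed policy name.
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA match destination-address SERVERA-REALIP
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA match application junos-ssh
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA then permit
# Log session creation so inbound use of the forwarded port is recorded.
set security policies from-zone untrust to-zone trust policy ALLOW-SSH-SERVERA then log session-init

# After commit, confirm that the NAT rule and the policy are both being hit:
run show security nat destination rule all
run show security policies hit-count
```

Where the set of legitimate clients is known, replace `source-address any` with address-book entries for those prefixes so the forwarded SSH port is not reachable from the whole untrust zone.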
With the following commands, the host 192.168.1.1 will be accessible via the destination address 18.104.22.168 from the untrust zone. Likewise, any traffic coming from this host will be source NAT'd behind 22.214.171.124.
user@host# edit security nat static rule-set static-nat
[edit security nat static rule-set static-nat]
user@host# set from zone untrust
user@host# set rule rule1 match destination-address 126.96.36.199/32
user@host# set rule rule1 then static-nat prefix 192.168.1.1/32
Proxy ARP NAT
NAT proxy ARP instructs the SRX to reply to ARP requests (proxy ARP) on behalf of IP addresses within the subnet of the ingress interface.
The command below publishes (proxy ARPs for) the addresses 10.1.1.1-5 on interface fe-0/0/0.0.
user@host# set security nat proxy-arp interface fe-0/0/0.0 address 10.1.1.1 to 10.1.1.5
- show security nat source rule all
- show security nat source pool all
- show security nat source summary
- show security nat interface-nat-ports
- show security flow session